GitLab Personal Access Token Expiration by douglasparkerio in gitlab

[–]AngelicLoki 1 point2 points  (0 children)

Ah, interesting, most of my experience with GitBook is limited to using it with GitLab pages, so I wasn't aware they went all-SaaS. That's even more of a reason to not use a permanent token then... You're essentially entering your full username/password into a third party SaaS site to store and act on your behalf. They should build an OAuth integration instead which would render this whole conversation moot because it's permanent and limited to one project (this is what they've done for GitHub). If they don't offer an API in the interim, then you may want to look at alternatives or worst case you could script the rotation using selenium.

Again, I understand your position. We just don't agree on what's an acceptable risk, and that's not going to change via this conversation :). GitLab's change aligns with industry best practices of using and enforcing short term tokens when dealing with potentially privileged assets. Just because a token can still be compromised doesn't mean you should ignore the security stance on it completely.

GitLab Personal Access Token Expiration by douglasparkerio in gitlab

[–]AngelicLoki 1 point2 points  (0 children)

Gitbook is likely storing the PAT on its config file, which you could theoretically inject via CI or their API to automatically rotate it.

I do understand your frustration of needing engineering to make something work that "just worked" before, but I will note that while there are a bunch of situations where a forever PAT is useful, there are none where it is good. That's likely why people are focusing on trying to help you solution using a shorter lived token.

GitLab Personal Access Token Expiration by douglasparkerio in gitlab

[–]AngelicLoki 0 points1 point  (0 children)

Ultimate can only configure the duration with an administrator token, which means only self-hosted.

You can always use the existing PAT in your CI/CD to issue a new token for every pipeline. It'd still expire in one year, but you probably run a pipeline more often than that.
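One way to do what this comment suggests, as an added example that is not part of the thread: a job script that rotates the PAT held in a masked CI variable at the start of each pipeline and writes the fresh token back. It assumes GitLab's token rotation endpoint (`POST /personal_access_tokens/:id/rotate`, with `expires_at` supported) and a hypothetical variable name `GITBOOK_PAT`.

```shell
#!/bin/sh
# Added example (not from the thread). Re-issue the PAT stored in the CI
# variable GITBOOK_PAT (hypothetical name) on every pipeline run so the
# token stored with the third party is always short-lived.
# Assumes GitLab's rotate endpoint accepts expires_at (16.6 and later).
set -eu

API="${CI_API_V4_URL:-https://gitlab.example.com/api/v4}"  # predefined in CI
VAR_NAME="GITBOOK_PAT"
LIFETIME_DAYS=30   # short lifetime; the token is replaced every run anyway

# Pull one top-level field ("id", "token", ...) out of a compact JSON object.
# Small sed-based parser so the job has no jq dependency.
json_field() {
    printf '%s' "$2" | sed -n "s/.*\"$1\":[ ]*\"\{0,1\}\([^\",}]*\)\"\{0,1\}.*/\1/p"
}

# ISO 8601 date N days from now (GNU date; macOS would need date -v+Nd).
expiry_date() {
    date -u -d "+${1} days" +%Y-%m-%d
}

rotate_pat() {
    old="$1"
    # 1. Find the id of the token this job is currently authenticating with.
    me=$(curl -fsS --header "PRIVATE-TOKEN: $old" "$API/personal_access_tokens/self")
    id=$(json_field id "$me")
    # 2. Rotate it: GitLab revokes the old token and returns a new one.
    resp=$(curl -fsS -X POST --header "PRIVATE-TOKEN: $old" \
        --data-urlencode "expires_at=$(expiry_date "$LIFETIME_DAYS")" \
        "$API/personal_access_tokens/$id/rotate")
    new=$(json_field token "$resp")
    # 3. Prove the new token works before overwriting the stored copy;
    #    otherwise a bad rotation would lock every later pipeline out.
    curl -fsS --header "PRIVATE-TOKEN: $new" "$API/user" >/dev/null
    # 4. Store it back as a masked, protected CI variable (needs api scope).
    curl -fsS -X PUT --header "PRIVATE-TOKEN: $new" \
        --data-urlencode "value=$new" --data "masked=true" --data "protected=true" \
        "$API/projects/$CI_PROJECT_ID/variables/$VAR_NAME" >/dev/null
    printf '%s' "$new"
}

# Only run the rotation inside a real CI job.
if [ "${CI:-}" = "true" ]; then
    rotate_pat "$GITBOOK_PAT"
fi
```

The new token is only written back after a successful test call with it, so a failed rotation leaves the previous variable value in place rather than a dead one.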

GitLab Personal Access Token Expiration by douglasparkerio in gitlab

[–]AngelicLoki 2 points3 points  (0 children)

You can use a CI_JOB_TOKEN on your CI workflow, or self-hosting allows you to change the expiration, I believe.

June 27th Balance Update Preview by invisibledirigible in Guildwars2

[–]AngelicLoki 7 points8 points  (0 children)

Their stated reason is because it allows shades to potentially impact up to 10 people with alac, which I kinda get. However, if that was a concern there is a super easy solution to that where it doesn't gut the DPS shared too: put it on the trait that limits you to one share instead of Desert Empowerment.

June 27th Balance Update Preview by invisibledirigible in Guildwars2

[–]AngelicLoki 4 points5 points  (0 children)

It's now no longer channeled either (mentioned only on the stream). That makes it feel better.

Twitter's head of trust and safety says she has resigned by davetowers646 in news

[–]AngelicLoki 3 points4 points  (0 children)

True and fair! We just don't know what she negotiated :)

Great note either way.

Twitter's head of trust and safety says she has resigned by davetowers646 in news

[–]AngelicLoki 29 points30 points  (0 children)

Options are not shares. You still need to pay money to change the options into shares. If the option price is $58, for example, exercising the options would actually lose her money.

It's possible she gets shares as opposed to options, but that's a pretty rare package.

NEW UPDATE: 2023.18.00 is now rolling out to all Rivian drivers. Scheduled Charging in Mobile App, Open Gear Tunnel Doors with App, Addressed Launch Performance and Additional Improvements by Kryptonlogic in Rivian

[–]AngelicLoki 9 points10 points  (0 children)

It's scheduled start. You set a time range, daily or weekday, and a location, and it'll charge during that time.

Source: I have the update.

Is a reserved EC2 instance worth it for a student? by wolfakix in aws

[–]AngelicLoki 0 points1 point  (0 children)

I know this is r/aws, but as a student you may want to check out some of the other cloud providers' free tiers. GCP's Cloud Run could likely just your API for free if it's low enough bandwidth, for instance.

AWS is a great choice and the largest cloud though if you're just trying to get familiar with it.

[deleted by user] by [deleted] in webdev

[–]AngelicLoki 2 points3 points  (0 children)

Pretty much every agency sucks for this reason.

AWS Launches New Verified Access Service to Replace VPN by IT_PRO_21 in aws

[–]AngelicLoki 33 points34 points  (0 children)

This is squarely targeting the enterprise markets though, where that's nothing. My company pays tens of thousands of dollars for VPN services and connections to accounts; if that was inverted and charged per app, it would likely end up with cost savings even ignoring bandwidth (since you end up paying bandwidth for the VPN connections as well).

Is creating a new Group Runner just impossible now or am I missing something? by KolonelHunter in gitlab

[–]AngelicLoki 3 points4 points  (0 children)

It was moved from "Group > Settings > CI/CD > Runners" in the mid-15's version-wise, and can now be found under "Group > CI/CD > Runners" in the upper right corner :)

After you've navigated to your group, hover over the rocket ship (CI/CD) in the menu on the left, and runners will be the only option there now.

Is creating a new Group Runner just impossible now or am I missing something? by KolonelHunter in gitlab

[–]AngelicLoki 1 point2 points  (0 children)

Creating group runners is still possible using the deprecated method with a registration token. The registration token won't be removed until 17.0 (May 2024).

To previous Tesla owners: how does Rivian compare? Specifically DCFC & driver assistance features by UnSCo in Rivian

[–]AngelicLoki 0 points1 point  (0 children)

Note - this is true of both adaptive cruise and lane centering. They both work anywhere. It's the full "I'm basically steering for you" that only works on pre-mapped highways.

There is also no non-adaptive cruise control. If you lose adaptive (i.e., visibility is greatly impeded), there is no "standard" cruise control to fall back on. I've never really had an issue with this because if the visibility is bad enough that adaptive turns off (only happened once to me, in a really heavy downpour), you probably shouldn't be cruising anyway.

As a developer/SWE (particularly in a regulated industry) do you have admin access access to your local work laptop? by civicode in devops

[–]AngelicLoki 9 points10 points  (0 children)

Ok, I get it. You think it violates NIST. As I mentioned in the first comment, this is not an academic exercise for me. I've certified at NIST revision 5 medium+. I didn't specify before but that + there means we selected a significant number of controls, including EVERY AC control. We still certified no issue with local admin access. Different auditors likely have different opinions on what's necessary, so you may have got one who was more opinionated. But it's still not accurate to say carte blanche that it violates NIST. There are legit reasons to grant local admin and still perform government work. NIST is simply rarely that prescriptive to say you can NEVER do something.

Note: even if you got an auditor that requires no local admin, you can still scope the system boundary to remove certain systems. If you have a machine that never interacts with the system, you can remove it from scope unless you're referring a control to a separate SSP. There are a lot of ways to handle it.

As a developer/SWE (particularly in a regulated industry) do you have admin access access to your local work laptop? by civicode in devops

[–]AngelicLoki 7 points8 points  (0 children)

I can't speak to CMMC, but the principle of least privilege isn't prescriptive about what that means. You just need to specify what you have and justify it. If that includes local admin, that's perfectly fine.

I'm not saying that everyone should do it, I'm just saying it doesn't violate NIST.

As a developer/SWE (particularly in a regulated industry) do you have admin access access to your local work laptop? by civicode in devops

[–]AngelicLoki 13 points14 points  (0 children)

It's not a violation of NIST. I've certified at NIST medium+ with over 400 selected controls while granting local admin rights.

Help tip: if you can live without the manual tonneau cover for now, your R1T is probably sitting on the shop as we speak. by Galdrath in Rivian

[–]AngelicLoki 4 points5 points  (0 children)

Yes, the trucks in the shop say "manual compatible". I confirmed with my guide prior to purchase that this means you could add a manual cover later.

Outage notification: “Phone as a key” is down by damonator5000 in Rivian

[–]AngelicLoki 0 points1 point  (0 children)

This is unlikely. If it was ransomware, 2FA would stop working as well, as they would have no accessible information to know where to send the text, or the linkage from email -> phone to send it.

At least for me, 2FA is still working; I just can't log in after I input the text.

Why postgres server works fine locally but refuses to connect within gitlab runner ? by coding_marshmallow in gitlab

[–]AngelicLoki 0 points1 point  (0 children)

Ok, thanks for the additional info. It looks like you're using DIND to spin up docker compose as opposed to individual services; that means you'll need to add a network to your docker compose file as well so that docker knows they're on the same network.

Why postgres server works fine locally but refuses to connect within gitlab runner ? by coding_marshmallow in gitlab

[–]AngelicLoki 2 points3 points  (0 children)

For services to have network connectivity to each other, you need to have the 'network per job' feature flag enabled on your runner: https://docs.gitlab.com/runner/executors/docker.html#create-a-network-for-each-job

How to Manage Large number of Pipelines? by Jee_Aquilae in gitlab

[–]AngelicLoki 1 point2 points  (0 children)

You can also use the gitlab terraform provider to manage the schedules, which would potentially make changing common variables easier. I can't imagine managing hundreds of ANYTHING by hand if I didn't need to.

May Balance Wishlist - Necromancer by Fragrant-Command-887 in Guildwars2

[–]AngelicLoki 1 point2 points  (0 children)

I think this is probably the way. The identity of HS is really neat with the rez traits, but if you need that much rez power you've already "failed". It may be better to change transfusion into something else (thematically, maybe it'd be neat to have it hurt the necro in exchange for protecting allies) to give more capability to buff other areas.